I think as late as last year, AT&T Prepaid was still using the "paygoonline.com" domain which was an acquisition in 1995.

Neobotnet runs web reconnaissance data for public bug bounty programs. Each week it reads one public bug-bounty program's surface top-down — DNS, HTTP, JS bundles, URL params — and writes up what the architecture gives away.

The T-Mobile scope isn't one company. It's four acquisitions plus an ad arm, and you can read how far each integration actually got purely from where the login pages are hosted:

    t-mobile-bounty-scope/
    │
    ├── t-mobile.com  ← own apps · MERGED (single Entra tenant)
    │   ├── account.t-mobile.com        Entra / Azure AD · edge Akamai
    │   ├── *.docs.t-mobile.com ×24     Entra — MS "Sign in" page
    │   ├── alm · billerdirect ·
    │   │   dealerorder · phys-access    Azure AD App Proxy (msappproxy.net)
    │   └── sts.t-mobile.com            ADFS — legacy fed · on-net, no CDN
    │
    ├── metrobyt-mobile.com  ← MetroPCS · folded into T-Mobile prepaid
    │
    ├── sprint.com  ← Sprint (merged 2020) · NOT merged
    │   ├── idam.sprintdrive.sprint.com OAuth · still issuing, 5 yrs on
    │   ├── autodiscover.sprint.com     Exchange autodiscover · Outlook
    │   └── assurancewireless.com       Lifeline prepaid · via Sprint
    │
    ├── uscellular.com / uscc.com  ← US Cellular (acq. 2024) · NOT merged
    │   ├── login.uscellular.com        SAML /idp/SSO.saml2 · Cloudflare
    │   └── login-sqa.uscellular.com    QA SAML, public · same edge as prod
    │
    └── blis.com + *.audience.com ×7  ← T-Mobile Advertising / Blis
        ├── imply.t-ads.blis.com        Imply login · T-Mobile Ads
        └── imply.publicis.blis.com     Imply login · Publicis agency

Worth stating plainly: across all 107,899 indexed URLs there were no creds, no cloud keys, no PII in parameters. Pretty clean infra so far.

There's a verify-it-yourself deep link under every claim in the writeup. Happy to get into the method, or where the detector's still noisy.